Accenture MxDR Quick Start Guide for AER Access in Defender for Endpoint

The following guide provides instructions to set up the Accenture MxDR service for Microsoft Defender for Endpoint.

Introduction

The Accenture Managed Extended Detection and Response (MxDR) service delivers visibility and response: Accenture SOC analysts act on suspicious threat activity and find emerging and unknown threats across on-premises and cloud endpoints, using forensic data coupled with machine learning analytics and the Accenture Global Intelligence Network. MxDR allows for close collaboration and seamless handoff of incident intelligence, helps to prioritize efforts, and relieves security teams of the time and effort that would otherwise be spent investigating incident alerts and detecting and responding to advanced attacks.

Overview

The Microsoft Defender for Endpoint MxDR service has three primary components:

  • Log Collection Platform (LCP)

  • Microsoft Defender for Endpoint Console

  • Endpoint Management

Log Collection Platform (LCP)

The Log Collection Platform (LCP) is designed to collect, compress, and send your log data securely to Accenture MxDR. The LCP is deployed in the Accenture Security Cloud and pulls the data directly from Microsoft Defender for Endpoint via its API (application programming interface).

Note: No client hardware or network access is needed.

Microsoft Defender for Endpoint

The Microsoft Defender for Endpoint Console will be co-managed by Accenture MxDR as a shared service with the client. After signing up for the service, clients will be provided with a list of Accenture MxDR users that will need accounts created in the Microsoft Security Center. This will grant Accenture MxDR access to the client’s Microsoft Defender for Endpoint data.

Access Control

  • Accounts for Accenture will be managed by the client.

    • User permissions and roles should align with Access guidelines referenced below.

Event Data and Detections

  • Detections will flow from the client to Accenture MxDR via the API

    • Detections can be managed by either Accenture MxDR or the client

  • SIEM (Security Information and Event Management) connections for detections

    • Accenture will consume detection data directly from the Microsoft Defender for Endpoint API

Policy Management

  • Accenture MxDR will have access to policy management, but clients will handle managing these policies. Unless pre-authorized to do so, Accenture MxDR will not update policies.

Endpoint Management

  • Microsoft Defender for Endpoint installation and management are the responsibility of the client. If applicable, remediation is performed by MxDR analysts via the Microsoft Defender for Endpoint Console.

Configuring Access

The following steps should be followed by the client to create user accounts for the MxDR analysts who will require access to the Microsoft Defender for Endpoint console.

Connected Organization

To enable role-based access to Microsoft Security Center, you need to connect to the Accenture organization. To do this, please follow the steps below:

  1. Navigate to Azure Active Directory and select the Identity Governance section

  2. Select Connected Organizations under the Entitlement management section

  3. Select Add connected organization

    a. Type “Accenture” in the search bar

  4. Populate the data in accordance with the directions & screenshot below:

a. Basics

i. Name = Accenture MxDR

ii. Description = Access for Accenture MxDR (or tailored to the client’s preference)

b. Directory & Domain

i. Select Add directory + domain, then type “Accenture.com” in the search bar

c. Sponsors

i. Add an internal sponsor

Note: Your Senior Analyst can be added as an external sponsor later in the guide

d. Review & Create

i. Review all input data, then select Create

Group Creation and Role Creation

  1. Navigate back to Azure AD and select Groups

  2. Select New Group and create the following two security groups:

    a. MDE-ACN-MxDR-Analyst-AD-Group

    b. MDE-ACN-MxDR-Responder-AD-Group

  3. Enter the data according to the screenshot below, then select Create:

    a. Group Name = MDE-ACN-MxDR-Responder-AD-Group

    b. Group Description = Accenture MxDR Responder Access

    c. Group Type = Security or Assign the “Security Reader” Role to the group

    d. Membership Type = Assigned

Note: Members will be Accenture-based individuals, whereas the Owner will be an internal individual.

    e. Ensure you select Yes for “Azure AD Roles can be assigned to the group” - this is so that the “Security Reader” role-based permissions can be assigned.

  4. Navigate away from Azure AD and back to the Microsoft 365 Defender Console, then select Settings and then Endpoints

  5. Scroll to Roles (Permissions), then select Add Item

  6. Create MDE-ACN-MxDR-Analyst-Role with the permissions selected below, and assign it to the Azure AD group MDE-ACN-MxDR-Analyst-AD-Group by selecting it from the list of all available Azure AD groups and clicking Add selected groups

  7. Create MDE-ACN-MxDR-Responder-Role with the permissions selected below, and assign it to the Azure AD group MDE-ACN-MxDR-Responder-AD-Group by selecting it from the list of all available Azure AD groups and clicking Add selected groups
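The two security groups from steps 1 to 3 above can also be created with the Microsoft Graph PowerShell SDK, which is useful when the same groups must be created consistently across several tenants. The script below is an added example written for this guide; it is not Accenture tooling and not part of the original document. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Users modules are installed, that the signed-in administrator holds a role permitted to create role-assignable groups (Privileged Role Administrator or Global Administrator), and it uses a placeholder address for the internal owner account. The Defender roles in steps 5 to 7 are still created in the Microsoft 365 Defender portal as described.

```powershell
# Added example (not from the Accenture guide): create the two role-assignable
# security groups from the "Group Creation and Role Creation" section with the
# Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Groups and Microsoft.Graph.Users are installed, and
# the signed-in admin may create role-assignable groups.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

# Group.ReadWrite.All alone is not enough for isAssignableToRole = true;
# RoleManagement.ReadWrite.Directory is also required for that flag.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Placeholder: an internal (client) account that will own both groups.
$InternalOwnerUpn = 'soc-owner@client.example'

# Group names and descriptions as the guide specifies them.
$MxdrGroups = @(
    @{ Name = 'MDE-ACN-MxDR-Analyst-AD-Group';   Description = 'Accenture MxDR Analyst Access' },
    @{ Name = 'MDE-ACN-MxDR-Responder-AD-Group'; Description = 'Accenture MxDR Responder Access' }
)

function New-MxdrSecurityGroup {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Description,
        [Parameter(Mandatory)] [string] $OwnerUpn
    )

    # Idempotent: re-running the script must not create a duplicate group.
    $existing = Get-MgGroup -Filter "displayName eq '$Name'"
    if ($existing) {
        Write-Host "Group '$Name' already exists ($($existing.Id)); leaving it unchanged."
        return $existing
    }

    $owner = Get-MgUser -UserId $OwnerUpn

    # -SecurityEnabled with -MailEnabled:$false -> Group Type = Security
    # no membership rule                         -> Membership Type = Assigned
    # -IsAssignableToRole                        -> "Azure AD roles can be assigned to the group" = Yes
    # owners@odata.bind                          -> Owner is the internal account, not an Accenture guest
    $group = New-MgGroup `
        -DisplayName $Name `
        -Description $Description `
        -MailEnabled:$false `
        -MailNickname ($Name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -IsAssignableToRole `
        -AdditionalProperties @{
            'owners@odata.bind' = @("https://graph.microsoft.com/v1.0/users/$($owner.Id)")
        }

    Write-Host "Created '$($group.DisplayName)' with id $($group.Id)"
    return $group
}

foreach ($g in $MxdrGroups) {
    New-MxdrSecurityGroup -Name $g.Name -Description $g.Description -OwnerUpn $InternalOwnerUpn | Out-Null
}

Disconnect-MgGraph | Out-Null
```

The owner is bound at creation time rather than added afterwards so that the group never exists without an internal owner. Membership is deliberately left empty: Accenture analysts are added later through the access packages, which keeps the approval trail in entitlement management rather than in ad hoc group edits.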

Create Access Packages for MxDR Resources

  1. Navigate back to Azure AD and select Identity Governance

  2. Select Create an Access Package and add New Access Package.

  3. You will create an access package for each of the two MxDR Analyst & Responder roles; enter the data following the screenshot below:

    a. Basics

      i. Name = Tier 1 Analyst

      ii. Description = Tier 1 Analyst Access

      iii. Catalog = General

    b. Resource Roles

      i. Select Groups & Teams

      ii. Select the checkbox for “See all group and Teams...”

      iii. Search for the Group you previously created:

        1. MDE-ACN-MxDR-Analyst-AD-Group

        OR

        2. MDE-ACN-MxDR-Responder-AD-Group

      iv. Select “Member” as the Role.

    c. Requests

      i. Select “For users not in your directory”

      ii. Select Specific connected organizations

      iii. Select “Add Directories”, then select Accenture

      iv. Select Require Approval = Yes

      v. Require requestor justification = Yes

      vi. How many stages = 1 (or 2 depending on client’s preference)

      vii. First Approver = Internal Sponsor

      viii. Decision = Any number of days up to 14

      ix. Require approver justification = Yes

      x. Enable new requests = Yes

    d. Requestor Information

      i. Enter the question you would like the requestor to answer when requesting access to the Defender console (e.g., “Why are you requesting access?”)

      ii. Answer format = Short Text

      iii. Check the Required box

    e. Lifecycle

      i. Enter the data according to the screenshot below

      ii. Ensure you expand “Show advanced expiration settings”

      iii. Select Reviewers, then Add Reviewers

      iv. Add reviewers according to the client’s policy

      v. Amend Advanced access review settings according to the client’s policy

    f. Custom Extensions

      i. Not required: you may disregard this section

    g. Review & Create

      i. Review all input data, then select Create

      ii. The following is an example access package:

  4. Repeat the same process in step #3 for the MDE-ACN-MxDR-Responder-AD-Group

Provide Access Request Links to MxDR Resources

  1. Navigate back to Azure AD and select Identity Governance

  2. Select Access Packages under Entitlement Management, then select the access package you just created in the earlier section for each role.

  3. Copy the link in the “My Access Portal Link” and provide it to your Accenture MxDR Service Manager and / or Sr. Analyst.

  4. Copy your tenant ID from Azure AD, Manage then Properties, and provide it to your Accenture MxDR Service Manager and / or Sr. Analyst.

  5. Have your Accenture MxDR Service Delivery Lead and / or Sr. Analyst confirm they have access to the Microsoft Defender for Endpoint Console.

  6. Go back and add the Sr. Analyst as an external sponsor for the Connected Organization and Access Packages.

  7. Verify the Sr. Analyst can approve new users via the My Access Portal Link supplied previously in step #3.

Additional Configuration Validation

Device Groups Settings

Device Groups

In an enterprise scenario, security operation teams are typically assigned a set of devices. These devices are grouped together based on a set of attributes such as their domains, computer names, or designated tags.

It’s essential that the role-based access groups created previously in this guide are associated with each Device Group so that your Accenture MxDR team has proper access to each device and to all the incidents & alerts generated by these devices.

  1. To validate your Device Group settings, navigate to Settings > Endpoints > Permissions > Device groups

  2. Select each Device Group, then select User Access

  3. Validate that both the “Analyst” & “Responder” groups are associated with each Device Group.

  4. Select Done

Recommended EDR Settings within Microsoft Defender

1. To validate your EDR Settings, navigate to Settings > Endpoints > Advanced Features

2. We recommend you enable the following features if they are not already enabled by default:

a. Automated Investigation

b. Live Response

c. Live Response for Servers

d. Enable EDR in Block Mode

e. Automatically Resolve Alerts

f. Allow or Block File

g. Tamper Protection

h. Show User Details

i. Web Content Filtering

j. Download quarantined Files

k. Authenticated Telemetry

l. Device Discovery

m. Preview Features

Validating Role Access – Enabling “Security Reader” Access

  1. Sign in to the Azure AD portal using your Microsoft account.

  2. Select Azure Active Directory on the left.

  3. Navigate to Roles and administrators.

  4. Click the Security administrator or Security Reader role.

  5. Click Add member and select the account that you want to assign the role to (i.e., to the roles that were created)
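Once the groups exist, the role assignment above and the membership rule from the Group Creation section (Accenture guests as members, an internal account as owner) are worth verifying on a schedule rather than once. The script below is an added audit example written for this guide, not Accenture tooling and not part of the original document. It assumes the Microsoft.Graph.Groups, Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules are installed and that the signed-in account can read users, groups and directory role assignments; the partner domain accenture.com and the role name Security Reader come from the guide.

```powershell
# Added example (not from the Accenture guide): audit the two MxDR groups.
# For each group it checks that
#   (1) every member is a guest whose mail address is in the partner domain,
#   (2) no owner is a guest (the owner must be an internal account), and
#   (3) the group is role-assignable and holds the Security Reader directory role.
# Assumptions: the three Microsoft.Graph modules below are installed and the
# signed-in account has the read permissions requested in Connect-MgGraph.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All', 'RoleManagement.Read.Directory'

$PartnerDomain = 'accenture.com'      # connected organization's domain (from the guide)
$ExpectedRole  = 'Security Reader'    # directory role the guide assigns to the groups
$GroupNames    = 'MDE-ACN-MxDR-Analyst-AD-Group', 'MDE-ACN-MxDR-Responder-AD-Group'

function Test-MxdrGroup {
    param([Parameter(Mandatory)] [string] $Name)
    $findings = [System.Collections.Generic.List[string]]::new()

    $group = Get-MgGroup -Filter "displayName eq '$Name'"
    if (-not $group) { $findings.Add("Group '$Name' not found"); return $findings }
    if (-not $group.IsAssignableToRole) { $findings.Add("'$Name' is not role-assignable") }

    # (1) Members must be guests from the partner domain.
    foreach ($m in Get-MgGroupMember -GroupId $group.Id -All) {
        # Get-MgUser fails for non-user objects (service principals, nested groups);
        # those are reported as findings rather than silently skipped.
        $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,Mail,UserType -ErrorAction SilentlyContinue
        if (-not $u) { $findings.Add("'$Name': member $($m.Id) is not a user object"); continue }
        $mailDomain = ([string]$u.Mail -split '@')[-1]
        if ($u.UserType -ne 'Guest' -or $mailDomain -ne $PartnerDomain) {
            $findings.Add("'$Name': member $($u.UserPrincipalName) is not a $PartnerDomain guest")
        }
    }

    # (2) Owners must be internal (non-guest) accounts.
    foreach ($o in Get-MgGroupOwner -GroupId $group.Id -All) {
        $u = Get-MgUser -UserId $o.Id -Property UserPrincipalName,UserType -ErrorAction SilentlyContinue
        if ($u -and $u.UserType -eq 'Guest') {
            $findings.Add("'$Name': owner $($u.UserPrincipalName) is a guest; the owner should be internal")
        }
    }

    # (3) The expected directory role must be assigned directly to the group.
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$ExpectedRole'"
    $assignment = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
        Where-Object { $_.RoleDefinitionId -eq $roleDef.Id }
    if (-not $assignment) { $findings.Add("'$Name': '$ExpectedRole' role is not assigned to the group") }

    return $findings
}

$allFindings = @(foreach ($n in $GroupNames) { Test-MxdrGroup -Name $n })
if ($allFindings.Count -eq 0) {
    Write-Host 'All MxDR group checks passed.'
} else {
    $allFindings | ForEach-Object { Write-Warning $_ }
}

Disconnect-MgGraph | Out-Null
```

Each finding names the group and the account involved, so the output can be attached to the access review the guide configures under Lifecycle. A member that is not a guest, or a guest from a domain other than the connected organization, indicates that someone was added to the group outside the access package flow and should be reviewed.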

Appendix

Additional Notes

Adding Users

Add your Senior Analyst as the first assigned user (remember to go back and add them as the external sponsor for the Connected Organization).

Policies should be applied to Access Packages where approval requests are sent to the internal sponsoring user to approve or deny requests.

MxDR Analysts will submit access requests via the access link provided in the overview page of each Access Package as mentioned in the Access Request Link section.

Accessing Security Center

Collect the tenant ID from Azure Active Directory > Properties and provide it to your service delivery lead. The MxDR team will access the security center with the tenant ID appended to the following URL: https://securitycenter.windows.com?tid=customer_tenant_id

Pre-Installation Questionnaire (PIQ)

The pre-installation questionnaire (PIQ) is used to capture device and network details from your environment to begin the onboarding process. The PIQ requires information about the network ranges eligible for pre-authorized containment if applicable, how you will deploy the agent, and information about your current environment.

  • An Accenture MxDR Engineer will supply the PIQ for the client to complete via email or Service Request within the MxDR portal.

  • The client is expected to complete the PIQ and return it to the MxDR Engineer for processing.

  • Complete and return the PIQ – if remediation is authorized, the network range(s) of the hosts authorized for remediation must be defined in the proper section of the PIQ.

FAQ (Frequently Asked Questions)

Q: Will Accenture MxDR handle deployment of Microsoft Defender for Endpoint to new clients?

A: No. Accenture MxDR will have co-management access to the Microsoft Defender for Endpoint console to supply the MxDR service, but this will not include deployment of agents.

Q: Will Accenture MxDR update the Microsoft Defender for Endpoint agent configurations?

A: We will update the Endpoint Detection & Response (EDR) policy (blacklist, whitelist, etc.) if authorized. We will not update the endpoint policies (AV signatures, firewall rules, etc.).

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.